HTB: BoardLight - OSCP Prep Write-up
BoardLight chains together a few classic techniques: subdomain discovery leading to an exposed ERP, authenticated RCE via a known CVE, credential reuse to pivot to a real user, and a SUID binary chain to root. Machine info Name BoardLight Platform HackTheBox OS Linux Difficulty Easy TL;DR Subdomain enumeration reveals crm.board.htb running Dolibarr 17.0.0 Default admin:admin credentials get us in CVE-2023-30253 - PHP code injection via the website module - gives shell as www-data Database credentials in conf.php are reused by user larissa for SSH CVE-2022-37706 - Enlightenment SUID LPE - escalates to root Recon Nmap 1 nmap -sV -sC -Pn -A 10.129.0.0 ...